Several vulnerabilities have been discovered in mapserver, a CGI-based
web framework to publish spatial data and interactive mapping applications.
The Common Vulnerabilities and Exposures project identifies the following
problems:

Missing input validation on a user-supplied map queryfile name can be
used by an attacker to check for the existence of a specific file by
using the queryfile GET parameter and checking for differences in error
messages.

Due to missing input validation when saving map files, under certain
conditions it is possible to perform directory traversal attacks and
to create arbitrary files.
NOTE: Unless the attacker is able to create directories in the image
path or there is already a readable directory, this doesn't affect
installations on Linux, as the fopen() syscall will fail in case a sub
path is not readable.

It was discovered that mapserver is vulnerable to a stack-based buffer
overflow when processing certain GET parameters. An attacker can use
this to execute arbitrary code on the server via crafted id parameters.

An integer overflow leading to a heap-based buffer overflow when
processing the Content-Length header of an HTTP request can be used by an
attacker to execute arbitrary code via crafted POST requests containing
negative Content-Length values.

An integer overflow when processing HTTP requests can lead to a
heap-based buffer overflow. An attacker can use this to execute arbitrary
code either via crafted Content-Length values or large HTTP requests. This
is partly because of an incomplete fix for
CVE-2009-0840.
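
The two Content-Length problems above come down to trusting a signed,
unbounded length from the request. The following is an added example, not
mapserver's code or its actual patch: a CGI-style body reader that rejects
negative, non-numeric and oversized lengths before allocating. The names
parse_content_length, read_post_body and the 1 MiB MAX_POST_BODY limit are
assumptions made for the illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_POST_BODY (1024L * 1024L) /* assumed policy limit: 1 MiB */

/* Flawed pattern this replaces (illustrative, not MapServer source):
 *   int len = atoi(getenv("CONTENT_LENGTH"));   // "-1" is accepted
 *   char *buf = malloc(len + 1);                // -1 + 1 = 0 bytes
 *   fread(buf, 1, len, stdin);                  // len converts to SIZE_MAX
 */

/* Returns 0 and stores the length in *out, or -1 if the value is missing,
 * signed, non-numeric, out of range for long, or above MAX_POST_BODY. */
int parse_content_length(const char *s, size_t *out)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0')
        return -1;
    for (const char *p = s; *p; p++)   /* digits only: no '-', '+', spaces */
        if (*p < '0' || *p > '9')
            return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > MAX_POST_BODY)
        return -1;
    *out = (size_t)v;
    return 0;
}

/* Reads exactly the declared number of bytes from `in` into a fresh
 * NUL-terminated buffer. Returns NULL on a bad length or a short read. */
char *read_post_body(FILE *in, const char *content_length, size_t *len)
{
    char *buf;

    if (parse_content_length(content_length, len) != 0)
        return NULL;
    buf = calloc(*len + 1, 1);         /* *len <= 1 MiB, so +1 cannot wrap */
    if (buf == NULL)
        return NULL;
    if (fread(buf, 1, *len, in) != *len) {
        free(buf);
        return NULL;
    }
    return buf;
}
```

Because the length is bounded before any arithmetic is done on it, neither
the allocation size nor the read size can wrap, whatever the client sends.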

For the oldstable distribution (etch), this problem has been fixed in
version 4.10.0-5.1+etch4.

For the stable distribution (lenny), this problem has been fixed in
version 5.0.3-3+lenny4.

For the testing distribution (squeeze), this problem has been fixed in
version 5.4.2-1.

For the unstable distribution (sid), this problem has been fixed in
version 5.4.2-1.